Re: [Anima] rfc822Name use in Autonomic Control Plane document
Toerless Eckert <tte@cs.fau.de> Wed, 24 June 2020 03:08 UTC
Date: Wed, 24 Jun 2020 05:08:17 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, sean+ietf@sn3rd.com, Russ Housley <housley@vigilsec.com>, anima@ietf.org
Message-ID: <20200624030817.GA47499@faui48f.informatik.uni-erlangen.de>
References: <11428.1592266833@localhost> <a0face89-da68-f75d-4a57-4deb9d0f244d@gmail.com> <20200617024412.GA11992@kduck.mit.edu>
In-Reply-To: <20200617024412.GA11992@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/sWI_nUixePldCffT1536nD4YYwY>
On Tue, Jun 16, 2020 at 07:44:12PM -0700, Benjamin Kaduk wrote:
> > > We already had this debate.
> > > Some time ago. The WG decided.
>
> With all due respect, this is not the sole decision of the ANIMA WG to
> make. If WGs had such authority then why bother with cross-area review?

I probably still don't understand process well enough for a WG chair, but
given how I am just here as an author ;-): Cross-WG review during IETF
review time is fine, but it looks to me as if this point in Russ' review
does not rise to the level of SEC AD review consideration. Aka: Russ can
perfectly have an opinion about encoding preferences, and so can other WG
groups, but we need to use real technical arguments to make our choices.
There are 15 bullet points justifying and explaining the choice, but the
feedback received does not take any of them into account.

> > > Three or four years ago, I think.
> >
> > Yes, this is relitigating an issue that was resolved a long time ago in discussing Ben's DISCUSS:
>
> I'm not sure I understand why you use the word "resolved" here:
>
> > https://mailarchive.ietf.org/arch/msg/anima/lnZ-ykqas487qih86sYNVsUGbsc
>
> In this message, I say that "I still feel like this is not the best
> architectural choice" and that I will provide a sketch of an alternative in
> my (then-)forthcoming ballot position; that ballot position retains the
> Discuss-level concern about rfc822Name usage along with the promised
> alternative.

Yes. I felt bad for you investing that much work into an alternate
proposal without having a discussion about this point. I do not remember
if the crucial points why binary encoding was an inferior and ecosystem
overhead choice were in the drafts you read or if I added/improved them in
reply to your suggestion. It's now in section 6.1.2 explanation points
2.2, 2.3, 2.4, 2.5, 3.2, 3.3, 3.5.

> > The explanation is at https://tools.ietf.org/html/draft-ietf-anima-autonomic-control-plane-24#page-26
>
> I appreciate that the attempted justification is clearly written; however,
> I do not find it compelling. Russ did not, either, and I just heard back
> from Sean Turner a few days ago to confirm that he supports Russ's
> comments. (There should be a few other editorial-ish comments that came
> out of that review that are still pending.)

It is still not a technical discussion to simply reply to a list of 8
points "this is not compelling". As I asked in the reply to Russ: Show me
RFC text that would prohibit what we do. Show me security issues. Show me
any technical issues. Show me how this concern is anything more than an
opinion that should not rise to the level of a SEC AD DISCUSS block.

> > I believe it is incorrect IETF process to rediscuss this point yet again.
>
> (I'm not sure if the "yet again" refers to "after the WG decided" or "after
> the (alleged) resolution of my first Discuss point".)
>
> If you believe the technical answer is clear and that I am in error to
> continue to hold my Discuss point for it, are there not also clear IETF
> processes to follow? E.g., asking for the "Single Discuss" ballot procedure
> described at https://www.ietf.org/standards/process/iesg-ballots/? I
> believe I have mentioned this option to Toerless previously; my apologies
> if that is not the case. While I'm willing to continue discussing the
> topic and pull in additional PKIX experts to weigh in, there is perhaps
> some consideration to matters of expediency.

My understanding is that I have not seen a technical argument for the
DISCUSS, but just a suggestion for encoding preference.

> > > I sure wish that we could use something else.
> > > But, CAs and CA software make that very difficult.
> > >
> > > Given that the era of publicly anchored Enterprise CAs is dead, there are
> > > only two ways an (Enterprise) ACP Registrar is going to occur.
> > >
> > > 1) by running a private CA.
> > > Sure anything is possible if you are writing your own code, but
> > > most will not be doing that. (I've supported otherName in my code for
> > > other purposes, and it's not that difficult, but it's not trivial either)
> > > My experience with COTS CA systems is that it's really hard to
> > > get them to do it. Please prove me wrong.
>
> (Sadly, I have zero experience with COTS CA systems; I know too much about
> openssl at this point and would presumably be writing my own, in this
> position.)

And ossification in the wide range of vendor-specific software that ACP
has to deal with is one reason to not use an encoding choice that
maximizes the amount of ecosystem changes.

> > > The most popular Enterprise CA software is the Microsoft CA.
> > >
> > > 2) by using ACME to speak to a hosted CA. Maybe WebPKI, maybe not.
> > > Either way, getting otherName supported is even harder, because
> > > nobody else uses it.
>
> Is the concern the ACME protocol support or just getting the hosted CA to
> cope with it? The former seems like something that we could make happen in
> the IETF, and the latter seems to have high overlap with point (1).

So far, there is no defined integration of ACME and ANIMA. We did discuss
this in a side meeting last year, but didn't continue, and I would not
want to bring this discussion into the fold now, because the whole premise
of ACP was to be standalone private networks where the only reason to look
into any type of public PKI is to help outsourcing TA work overhead, and
that does not need to be a typical PKI anyhow. Not saying that I wouldn't
like to see ANIMA integrate with ACME, but that's not a concern for this
document but at best for follow-up work.

> > > If we can't depend upon otherName being filled in, then we have to look for
> > > two things. That means more code paths (two more) to test, more test
> > > vectors, and what exactly does an end point do when both are present, BUT
> > > THEY DO NOT MATCH? So three more pages of text there.
> > > Remember, that just rejecting the certificate means that we have to send out
> > > a truck, which is what ACP aims to avoid, so that won't be popular.
> > > And of course, there could also be bugs (maybe even CVEs) in the code that
> > > tries to deal with the tie.
>
> To be honest, this argument feels like a stronger one to me than the bits
> in the -24. I'm still not willing to accept into the RFC Series a document
> that violates the rules set down by the specification for the technology
> it's making use of, but the refocus on the "running code" aspect is
> appreciated.

"violates the rules set down by the specification for the technology" ??
I have not seen any supporting evidence for that. The rfc822Name is a
perfectly formatted rfc822Name string.

Cheers
    Toerless
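Michael's bullet in the message above asks what an endpoint does when both an otherName and an rfc822Name are present in the certificate but disagree, and Toerless closes by asserting that the rfc822Name carried by ACP is a syntactically valid rfc822Name. What follows is an added example, not code from the ACP draft, the ANIMA WG or any participant in this thread: it builds a SubjectAltName containing both name forms with a small self-contained DER encoder, parses it back, checks the rfc822Name against the RFC 5280 section 4.2.1.6 Mailbox syntax (bare local-part@domain, no display name, comment or angle brackets, ASCII only), and fails closed when the two forms disagree. The otherName type-id, the sample addresses and the "exactly one rfc822Name" policy are assumptions of the example.

```python
# Added example, not code from the ACP draft or the ANIMA WG. The otherName type-id is
# hypothetical (no IANA assignment) and the sample addresses are constructed. The DER
# helpers handle single-byte tags and definite lengths, which is all a SubjectAltName needs.
import re

TAG_OTHERNAME = 0   # GeneralName CHOICE [0] IMPLICIT OtherName (constructed)
TAG_RFC822NAME = 1  # GeneralName CHOICE [1] IMPLICIT IA5String
OID_EXAMPLE_OTHERNAME = "1.3.6.1.4.1.99999.1"  # hypothetical type-id for the demo

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return der_tlv(0x06, bytes(out))

def rfc822name(addr):
    return der_tlv(0x80 | TAG_RFC822NAME, addr.encode("ascii"))

def othername(type_id, value):
    # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; UTF8String payload here
    inner = der_oid(type_id) + der_tlv(0xA0, der_tlv(0x0C, value.encode("utf-8")))
    return der_tlv(0xA0 | TAG_OTHERNAME, inner)

def subject_alt_name(*names):
    return der_tlv(0x30, b"".join(names))

def der_iter(data):
    # yield (tag, body) for each TLV in data
    i = 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        i += 2
        if ln & 0x80:
            n = ln & 0x7F
            ln = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + ln]
        i += ln

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def parse_san(ext_value):
    """Return (rfc822Names, [(type-id, value), ...]) from a DER SubjectAltName value."""
    tlvs = list(der_iter(ext_value))
    if len(tlvs) != 1 or tlvs[0][0] != 0x30:
        raise ValueError("SubjectAltName is not a single SEQUENCE")
    emails, others = [], []
    for tag, body in der_iter(tlvs[0][1]):
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName with non-context-specific tag %#x" % tag)
        choice = tag & 0x1F
        if choice == TAG_RFC822NAME:
            emails.append(body.decode("ascii"))
        elif choice == TAG_OTHERNAME:
            (_, oid_body), (_, val_body) = list(der_iter(body))[:2]
            _, inner = next(der_iter(val_body))  # unwrap the [0] EXPLICIT
            others.append((decode_oid(oid_body), inner.decode("utf-8")))
    return emails, others  # dNSName, iPAddress, etc. are skipped as irrelevant here

_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_MAILBOX_RE = re.compile(r"^" + _ATEXT + r"+(?:\." + _ATEXT + r"+)*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

def is_valid_rfc822name(name):
    """RFC 5280 4.2.1.6: a bare Mailbox (local-part@domain), no display name, comment or
    angle brackets, ASCII only since it is an IA5String. Dot-atom local-parts only here."""
    return name.isascii() and _MAILBOX_RE.match(name) is not None

def identity_from_san(ext_value, othername_oid=OID_EXAMPLE_OTHERNAME):
    """Return (accepted, name, reason). Policy of this example: exactly one rfc822Name is
    required and authoritative; an otherName of the given type, if present, must carry the
    same string, otherwise the certificate is rejected rather than one form picked silently."""
    emails, others = parse_san(ext_value)
    if len(emails) != 1:
        return False, None, "expected exactly one rfc822Name, found %d" % len(emails)
    name = emails[0]
    if not is_valid_rfc822name(name):
        return False, None, "rfc822Name is not an RFC 5280 Mailbox: %r" % name
    conflicting = [v for oid, v in others if oid == othername_oid and v != name]
    if conflicting:
        return False, None, "rfc822Name %r disagrees with otherName %r" % (name, conflicting)
    return True, name, "ok"
```

With a constructed address such as `device-1+0a1b2c@acp.example.com`, `identity_from_san(subject_alt_name(rfc822name(addr)))` returns `(True, addr, "ok")`; appending `othername(OID_EXAMPLE_OTHERNAME, "other@acp.example.com")` to the same SubjectAltName turns the result into a rejection, and so does an rfc822Name carrying a display name like `Device One <...>`. The rejection on disagreement is deliberate: quietly preferring one of two conflicting names is exactly the tie-handling code path in which Michael expects bugs, and a peer that refuses the certificate at least fails in a way that is visible and testable.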
- [Anima] rfc822Name "abuse" in Autonomic Control P… Michael Richardson
- Re: [Anima] rfc822Name "abuse" in Autonomic Contr… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Benjamin Kaduk
- Re: [Anima] rfc822Name use in Autonomic Control P… Michael Richardson
- Re: [Anima] rfc822Name use in Autonomic Control P… Eliot Lear
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Russ Housley
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Sean Turner
- Re: [Anima] rfc822Name use in Autonomic Control P… Benjamin Kaduk
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- Re: [Anima] rfc822Name use in Autonomic Control P… Michael Richardson
- Re: [Anima] rfc822Name use in Autonomic Control P… Russ Housley
- Re: [Anima] rfc822Name use in Autonomic Control P… Benjamin Kaduk
- Re: [Anima] rfc822Name use in Autonomic Control P… Toerless Eckert
- Re: [Anima] rfc822Name use in Autonomic Control P… Brian E Carpenter
- [Anima] Russ: Re: rfc822Name use in Autonomic Con… Toerless Eckert
- Re: [Anima] rfc822Name use in Autonomic Control P… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] rfc822Name use in Autonomic Control P… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Brian E Carpenter
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eric Rescorla
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Benjamin Kaduk
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eric Rescorla
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eric Rescorla
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Brian E Carpenter
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- [Anima] No certs for noreply (was: Re: Russ: Re: … Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] No certs for noreply (was: Re: Russ: … Russ Housley
- Re: [Anima] No certs for noreply (was: Re: Russ: … Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Russ Housley
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Eliot Lear
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Michael Richardson
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Toerless Eckert
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Michael Richardson
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Brian E Carpenter
- Re: [Anima] Russ: Re: rfc822Name use in Autonomic… Michael Richardson